Solved: Re: Cisco ISE PIC Passive ID - Config WMI step by step explanation

Jesper Erbs · ‎03-23-2020

Hi guys,

Do you have a step by step guide to the script, that is run on Domain Controllers when we use the 'Config WMI' button in the PassiveID configuration in ISE?

During the process of implementing PassiveID we received multiple error messages, that stated the configuration had failed, but in the end everything seemed to be configured. The connection to the Domain Controllers work when tested and the Dashboard shows everything in green.

I have two reasons for this question.

1. We don't know what failed and what we could do about it. During the process we saw multiple different error messages. In the end we received an error message, that looked a bit like this 'Failed to delete and restart service'. (Unfortunately I didn't get a screenshot). When implementing the manual steps on a domain controller, there is no deletion of services.

2. The Active Directory team requested access to the script, which I do not have. It makes very good sense, that they want to know what a script run by a Domain Admin user does to their domain controllers.
I understand if you do not want to give us access directly to the script, but could you provide us with a step-by-step guide that explains the actions on each step?

I was referred to this previous post in the community, which sums up the tasks done by the script, but it doesn't help the customer or me troubleshoot the errors after the script has run.

https://community.cisco.com/t5/network-access-control/configure-wmi/m-p/3489082

BTW - Awesome that you included the possibility of automatically configuring the WMI in Active Directory. In the past we had to do the configuration manually and it takes quite a bit of time on 35 domain controllers.

Thanks.

hslai · ‎03-24-2020

The way to troubleshoot is very rudimentary so that we manually check whether the domain controller(s) configured based on Active Directory Requirements to Support Easy Connect and Passive Identity services,

The errors you indicated below are related to ISE using iseExec (similar to psExec) to deliver the files and run the script(s).

Please open a TAC case if you really need a copy of the exact script. i do not have a copy and, even I do, I can't share it here.

View solution in original post

hslai · ‎03-24-2020

The way to troubleshoot is very rudimentary so that we manually check whether the domain controller(s) configured based on Active Directory Requirements to Support Easy Connect and Passive Identity services,

The errors you indicated below are related to ISE using iseExec (similar to psExec) to deliver the files and run the script(s).

Please open a TAC case if you really need a copy of the exact script. i do not have a copy and, even I do, I can't share it here.

Jesper Erbs · ‎03-26-2020

Hi hslai,

Thanks for the reply.

We will create a TAC case, if we experience further issues.

But could you not have documented the steps of the script further without giving full access to the script?

hslai · ‎03-26-2020

hmm..

What documented in ISE Admin Guide is what the script automating on.

Jesper Erbs · ‎03-27-2020

We have to give the ISE deployment an Active Directory Domain Admin account, which most customers need much convincing to do. If we have full transparency, it is a much easier sell. Like I wrote earlier, I love the simplicity in the 'Config WMI' button, but Umbrella for example has a downloadable script to perform the same functions, which give us full transparency.

I accept your response, but I would really love to see it further documented, so that we are able to troubleshoot error messages, such as the below:

'The IseExec remote copy failed to open the remote file'

Thanks for your help.